FIG. 1 depicts the elements that make up a typical computer for use in presenting and maintaing an application. The computer 100 consists of a Base Computer 101 which comprises a processor 106, storage media such as a magnetic disk 107 and a high speed volatile main memory 105. An operating system and application programs 111 reside on the storage media 107 and are paged into main memory 105 as needed for computations performed by the processor 106. The Base computer may include optional peripheral devices including a video display 102, a printer or scanner 110, a keyboard 104, a pointing device (mouse) 103 and a connection 108 to a network 109. In a client environment, a user will interact with a (Graphical User Interface) GUI by use of a keyboard 104 and mouse 103 in conjunction with the display of information on the display 102 under control of an application program (application 1) 112. The client application program 112 will then interact with remote users by way of the network 109.
In FIG. 2 an example Internet system is shown. A user 210 at client 1 201 uses applications on his system. This user (user 1 210) at client 1 201 can interact with clients 2-4 202-204 by way of a client server computer 206. Applications 112 may be provided by each client 201-205 and or the client server 206 or some remote server 208 by way of the network 207. The user at client 1 201 can interact with a remote user (user 5 211) at client 5 205 by way of the Internet 207.
One way that computers interact via networks such as the Internet is using the HyperText Transfer Protocol (HTTP) open standard designed by the World Wide Web Consortium (W3C) and standardized as Internet Engineering Task Force (IETF) RFC 2616. It is an intentionally simple and open protocol that is implemented across many heterogeneous computer systems.
An “HTTP Redirect” is a mechanism in which an HTTP Server can indicate to the user-agent that further action is needed to fulfill the request. A simple example is a resource moving to a different location. The original server can provide a pointer to the new location of the resource, and can further indicate that the pointer is intended to be permanent or temporary.
“Encoding” is the formatting of data according to a standard format. Base64 encoding (described in IETF RFC 1521) is a way of representing an arbitrary binary stream as the lower 65 characters in the ASCII alphabet. “URL Encoding” is a way in which strings meant to represent the arbitrary characters to which a given universal resource locator (URL) can be mapped within the bounds of the allowed url-safe subset of the ASCII alphabet.
“Encryption” is the act of encoding a file to prevent any person but the intended recipient(s) from reading it. “Hashing” is the act of applying a one way function to generate a fixed length value from an input of arbitrary size. The output of the hash function is useful for determining if content has been altered. “MD5” and “SHA” are some popular example hashing algorithms. :Signing” (also known as “digital signing”) combines encryption with hashing to generate a representation of an object that can be proven to have been generated only by the sender. Digital Signature Standards (DSS) by Federal Information Processing Standards Publication 186 (May 19, 1994) and can be found at on the Internet.
“Extensible Markup Language” (XML) is an open standard from the W3C. XML is a standard way of presenting information such that the content describes itself. It is both human and machine readable. The format of a XML document can be specified externally, and document can be validated against these external specifications.
A “remote procedure call” is a way in which one computer can ask a second computer to perform an operation on some given input on its behalf and return the result. A World Wide Web (web) service is a remote procedure call that is encoded in XML and can be transported over HTTP as well as other mediums. Popular Web service protocols are SOAP and XML-RPC.
In the context of computer security, “authentication” and “authorization” are two different processes. Authentication is the process of establishing the identity of a client. Authorization is the process of taking the confirmed identity of a client and determining if that client is allowed to perform the requested actions.
User authentication and authorization are some of the fundamental security concerns of enterprise computing. Management of user access to resources within an enterprise becomes increasingly difficult as the number of resources grows particularly if the access of users must be managed at the individual resource. The user takes on an increasing burden if he/she must remember a long list of different user identity and password combinations in order to access a large number of resources. Significantly, the longer the list gets, the more chance there is that the user will begin to insecurely store such passwords and inadvertently cause a security breach.
Centralizing the administration of user id and passwords provides an enormous benefit to an enterprise of even a small size. For example when an employee separates from the enterprise, the access formerly granted to that user can be centrally and instantly revoked. A given user can use the same id and password to login at every site that chooses to allow him or her access. In a system like this, when the user attempts to use a given resource, the user is prompted for a user id and password, which is forwarded by the resource to a central user id and password repository which will confirm the validity of the entered user identity and password combination. LDAP and Microsoft Windows networking are examples of such systems.
Having a central ID and password store is a big leap, but there is still a vulnerability in the system. Computers on the network are trusted with the handling of sensitive passwords. A rogue computer could be configured to log or otherwise improperly disseminate the passwords of each user that logs in to that system. Another solution is to have a trusted central authority that will be the only system to handle password related information. The trusted system then needs a way to notify the individual resources of the confirmed identity of a given resource. Microsoft Passport and DCE/kerberos-like systems are examples of this kind of central authentication systems.
The prior descriptions of the various enterprise security schemes are simplified to only encompass authentication. Security systems typically retrieve authorization information along with the authentication information.